package rbac
user-role assignments
group_roles := {
"wjq": ["risk"],
}
role-permissions assignments
role_permissions := {
"risk": [
{"action": "publish", "env": "dev", "proname": "udw-es-0"},
{"action": "publish", "env": "dev", "proname": "mbs-es-0"},
{"action": "publish", "env": "dev", "proname": "udw-es-2"},
{"action": "publish", "env": "dev", "proname": "mbs-es-2"},
{"action": "publish", "env": "uat", "proname": "udw-es-0"},
{"action": "publish", "env": "uat", "proname": "mbs-es-0"},
{"action": "publish", "env": "uat", "proname": "mbs-es-2"},
{"action": "publish", "env": "uat", "proname": "udw-es-2"}
],
}

default allow = false
allow {
# lookup the list of roles for the user
roles := group_roles[input.user]
# for each role in that list
r := roles[]# lookup the permissions list for role rpermissions := role_permissions[r]# for each permissionp := permissions[]
# check if the permission granted to r matches the user's request
p == {"action": input.action, "env": input.env, "proname":input.proname}
}
user_roles := {
"wjq": ["risk"],
}
user_permissions := {
"risk": [
"publish",
"help",
"cancel",
"how"
],
}
default userallow = false
userallow {
roles := user_roles[input.user]
r := roles[]permissions := user_permissions[r]p := permissions[]
p == input.action
}